Tag Archives: Wi-Fi Pineapple

WLAN Security- Attack Yourself to Stay Sharp

Back in February of this year, I ran a “Deep Dive” session at the WLAN Professional’s Conference. The session description:
WLPC18sessionThis session was well-attended, and we had a lot of fun getting through a number of attacks. Since then, I’ve had a few occasions to break out the Pineapple again. Just the other day I was monkeying with something…

Pine3

Which inspired me to put together a blog at my OTHER site, IT Toolbox. Have a look here and see if you agree that hacking yourself once in a while is a prudent thing to do.

 

Here’s What I Want NOW From My Wireless Management System

When it comes to the management and security of wireless networks, I want a lot of things. I want new things, and I want legacy things that aren’t going away to get better. I want slick, I want fast and I want effective. I want powerful, feature-rich, and a say in what features are worth devoting UI resources to. I want it all, baby- and here’s my latest rant on the topic. You’re going to love this.

Before I drop the bomb, lets set the stage.

I had the privilege of hanging out with the fellows from 7signal at the recent Wireless Field Day 5 event, and seeing how they do WLAN RF health characterization,  as well as getting a peek at what AirTight is up to. Being a long-time Cisco wireless customer, my mushy brain cant help but bring everything back to my vendor for comparison; but more on this in just a bit.

In my spare time, I’ve been having more fun than a person should be allowed to with the addicting Wi-Fi Pineapple (along with some tricks from the much-revered BackTrack Linux.) And at work, we’re gearing up for thousands of students to flood back into the dorms, which means Rogue Hunting Season is neigh. Put all this together and feed it into the “It’s Easy For Me To Demand Things From Other People That I Can’t Do” engine, and out pops the following wireless support and security gem:

Wouldn’t it be cool if…

  • You could take one of your in-service APs and turn it into a virtual client that associates with other APs? (stay with me, I know you’ve heard this part before)
  • Synthetic testing with said virtual client was possible: do my DHCP and RADIUS servers work? Can I reach the Internet? Can I reach other locations, from each of my SSIDs?
  • The virtual client AP could report on nearby rogue networks, after I set a min threshold value, (getting closer to the money shot) and tell- Is the SSID open or protected?
  • My virtual client could associate to the open SSIDs, and report back what the public IP is of the rogue?  (I could find it then through MAC or ARP tables if on my own network- doesn’t need to be automated)
  • Here’s the LAGNIAPPE, baby- If the rogue SSID was encrypted, I’d like my virtual client to execute Aircrack-NG, Reaver, Fern, or whatever. Somehow, the power of my management system harnessed to this virtual client/pen testing-mode AP would give me a big-assed, infinite dictionary from hell and lots of power to crack. Then I could go back to the “find the public IP” step, which to me is the ultimate and definitive “game over” versus a lot of wireside detection systems that are so-so with their success rates.

I know there are lots of ways to do “wireless support”, but I am enamored with the force-multiplying capabilities of a well-constructed virtual client mode for installed APs (as I imagine them working). I’ve been beating the drum for Cisco to consider basic virtual client functionality for years, to no avail.

But now I want even more- I want a “virtual client AP meets BackTrack Linux, and they have offspring” mode.

I’m not asking for too much, am I?

Good Pineapple, Bad Pineapple, Educational Pineapple

Years ago, I got certified in CWSP and also taught wireless security for a while. I took an amazing class from SANS back in 2008, and had the honor of having Joshua Wright as the instructor. I’ve written a fair amount of wireless policy, designed networks that use 802.1x, VPN, Encryption Gateways and almost any other mainstream (or slightly off the beaten path) security method available, and have done the PCI and HIPA wireless things. I got really good at finding rogue APs through network clues, combined with “other” elements of information that many in wireless might find atypical (thank you, ten years in a fascinating Air Force career field). I like to think that even though it’s not my current core competency, I generally “get it” when it comes to wireless security.

But my goodness, what a pineapple is teaching me.

OK, it’s not a real pineapple- it’s a cute little router warmed over with bastardized Open-WRT firmware. And it’s teaching me (and reminding me of many things I’d forgotten) a lot about general wireless security.

Part of the experience, as I contemplate why I’m enjoying this evil little toy so much, is where it falls on my own timeline. My Linux skills used to be a lot stronger than they are now for lack of use, phishing is becoming commonplace, and I’m part of a society that is generally both more mobile and hyper-willing to jump on any open WLAN they can find. For me, the Wi-Fi Pineapple is providing hours of entertainment and serving as a self-guided training course of sorts in wireless security, penetration testing, and being an absolute pain in the ass to those nearby.

Once you get set up (spring for the thumb drive, it’s pretty much essential), there are roughly a couple of dozen “infusions” or packages to install. Some amount to stand alone hacks/tricks, others work in concert to pull off the likes of a sophisticated phishing attack.

I’m basically working through the list, getting competent in each infusion as I go. This is accomplishing the following for me:

  • making me dust off past Linux command skills
  • making me think about why what I’m doing is working, or not
  • taking my brain to wireless places that I don’t have to think about day to day
  • making me much more paranoid and careful about using public Wi-Fi
  • helping me to understand the mechanics of a number of wireless attacks
  • putting me in a better position to participate in, defend against, and converse about wireless pen testing by making the attacks easy to do and demonstrate
  • providing great fun- who doesn’t like Rick-rolling family members?

Those who are deeper into real wireless security or have good scripting skills might wave off the Pineapple as something you can do yourself for cheaper and without the pre-packaging. I don’t debate the point, but I also know that I find great value in the support forums and slew of Pineapple related videos available all over the Internet. I like that the Pineapple is a starting point, and that lots of people who try to use it get frustrated- it shows that you still need to think and experiment at least somewhat. Your experience, curiosity, threshold for cheap-thrills, and general knowledge will have direct bearing on how much value you get out of the experience.

This little unit is great fun, but after playing with it I can say this: the thought of a secret army of Pineapple soldiers out among the common folks in public wireless cells is a bit disturbing. It’s worth reading about, if for nothing more than knowing what kind of relatively-easy-to-use potentially bad stuff (it’s just a tool, it only becomes bad when the user opts to go that way with it) is out there.